Glossary term
CVSS
Also: Common Vulnerability Scoring System
Standardised, vendor-neutral scoring system that rates the severity of a vulnerability on a 0-10 scale, maintained by FIRST. Current version: CVSS v4.0 (November 2023). v3.1 groups its metrics into Base, Temporal and Environmental; v4.0 keeps Base and Environmental, renames Temporal to Threat and adds a Supplemental group. Often criticised because the base score says nothing about whether a flaw is actually being exploited.
Qualitative severity ratings (identical in v3.1 and v4.0): 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical. v3.1 base metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Confidentiality/Integrity/Availability impact. v4.0 drops Scope, adds Attack Requirements, and splits impact into Vulnerable System and Subsequent System C/I/A.
CVSS v4.0 vs v3.1: v4.0 replaces the Temporal group with Threat metrics (Exploit Maturity), retains the Environmental group, adds Supplemental metrics (Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, Provider Urgency) and defines impact more granularly (vulnerable vs. subsequent system). Scores are labelled by the groups they include: CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE. Not every vendor has moved to v4.0; a mixed world persists in 2025-2026.
Criticism: a CVSS score on its own does not indicate whether a vulnerability is actually being exploited. Modern programmes therefore add EPSS (FIRST's Exploit Prediction Scoring System, a probability that the vulnerability will be exploited in the wild within the next 30 days) and listing in CISA's Known Exploited Vulnerabilities (KEV) catalogue as prioritisation signals alongside the score.
Related terms
CVE
Global identifier for publicly known security vulnerabilities in software and hardware. Format CVE-Y…
SBOM
Machine-readable inventory of all components in a piece of software, incl. versions, licences and dependencies…
CASB
Security layer between users and SaaS providing visibility (shadow IT discovery), data protection (D…
CNAPP
Gartner platform category that combines CSPM, CWPP, CIEM, KSPM, DSPM and IaC scanning into one tool.…
Compliance mapping
The explicit link between a decision (vendor, architecture, control) and the specific regulatory art…
Confidential Computing
Hardware-based isolation that keeps data encrypted during processing (data-in-use). Complements encr…
Critical ICT Third-Party Provider (CTPP)
ICT third-party provider designated critical by the European Commission under DORA Art. 31, falling …
CSPM
Software category for continuous review of cloud configurations against security benchmarks (CIS, NI…
